I have worked out how to make it so users can only add and remove
themselves from a tag:

access to dn.children="ou=tags,dc=example,dc=com" attrs=member,entry
# Allow people to add and remove themselves from any other tag
by dnattr=member selfwrite
# Allow anyone to read
by anonymous read

So far so good, but I would like authenticated users to be able to add
new entries (tags), and add themselves as members to them, but _not_ to
be able to delete tags.

Even better, the tag would be deletable, or even automatically removed,
but only if the user removed their own name and there were no more
members - i.e. it was empty. (I believe the member attribute is
mandatory in groupOfNames, and I don't want it to be impossible for
someone to remove their name because they are the only member!)

This is difficult, because as far as I can see the "write" permission
does not distinguish between adding and deleting.